Hello,

My domain is: https://staging-game.play-elements.xyz/

I ran this command: sudo certbot --nginx -d staging-game.play-elements.xyz
It produced this output:

sudo certbot --nginx -d staging-game.play-elements.xyz
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/staging-game.play-elements.xyz.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for staging-game.play-elements.xyz

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/staging-game.play-elements.xyz/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/staging-game.play-elements.xyz/privkey.pem
This certificate expires on 2024-02-23.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for staging-game.play-elements.xyz to /etc/nginx/sites-enabled/elements-cop
Your existing certificate has been successfully renewed, and the new certificate has been installed.

ls /etc/letsencrypt/live/staging-game.play-elements.xyz-0001
README  cert.pem  chain.pem  fullchain.pem  privkey.pem

The certificates are generated and I'm able to setup an nginx to serve a static index.html page over https (disabled for the current test). But when I start a very simple websocket test server (with nginx stopped), I can't manage to connect.

• In chrome, the websocket connection fails with this not-helpful message:

test.html:13 WebSocket connection to 'wss://staging-game.play-elements.xyz/' failed: 
(anonymous) @ test.html:13
test.html:28 WebSocket connection closed

• using websocat, it fails with:

websocat wss://174.138.14.64:443/
websocat: WebSocketError: WebSocket SSL error: The certificate was not trusted.
websocat: error running

My web server is (include version): node v12.22.9

The server code is:

const https = require('https');
const fs = require('fs');

const options = {
  key: fs.readFileSync('/etc/letsencrypt/live/staging-game.play-elements.xyz-0001/privkey.pem'),
  cert: fs.readFileSync('/etc/letsencrypt/live/staging-game.play-elements.xyz-0001/fullchain.pem'),
};

const server = https.createServer(options, (req, res) => {
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('Hello, secure world!\n');
});

server.listen(443, () => {
  console.log('HTTPS server listening ');
});

The operating system my web server runs on is (include version): Ubuntu 22.04.3 LTS

My hosting provider, if applicable, is: digital ocean, no firewall

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot --version
certbot 2.7.4

So if we belive the websocat output, could it be a certificate issue? If then, how to check that?
I did some research, and found it should be fine since I'm using the fullchain file

Hi @ramabouda, and welcome to the LE community forum

The certificate you just received:

Is NOT the certificate you are using here:
[notice the extra -0001 in the path]

Please show the output of:

certbot certificates

The certificate you just received Is NOT the certificate you are using here

Right, this was not the exact log I got when generating the -0001 certificate.
I previously generated a certificate (the one from the logs) with an older version of certbot that I deleted, then tried to see if it helped to remove certbot and reinstall a newer version using snap. This new version created the certificate with a -0001 in the name. I don't have any other certificate on disk AFAIK and this one is the last one I generated.

As requested:

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: staging-game.play-elements.xyz-0001
    Serial Number: 44a413f24ab8de66b73595d0d1d1b25e52a
    Key Type: ECDSA
    Domains: staging-game.play-elements.xyz
    Expiry Date: 2024-02-23 22:02:36+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/staging-game.play-elements.xyz-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/staging-game.play-elements.xyz-0001/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

That seems to be making a call directly to the IP [not the name].
If so, that will surely always return:

I agree with my fellow volunteer that using the IP address instead of the hostname is likely the issue here: this is because the certificate is only valid for the subject alternative names listed on the certificate and the IP address is not part of that. (Note that it is possible to include IP addresses in the SAN of certificates, but Let's Encrypt does not offer that.)

That said:

Please don't forcibly renew an already perfectly fine certificate in the future: it does not help in the slightest: you'd simply get an almost identical certificate, which does not help at all. It only adds more load to the Let's Encrypt systems and can lead to you hitting rate limits.

That was indeed the issue, it makes total sense. A huge thank you for your help!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.